Asia’s exposure to fraud will climb as more processes move to the digital realm and organisations embark on their digital transformation.
For banks, credit and debit cards typically accounted for a large part of fraud losses, especially as e-commerce transactions increased, said Derek Wylde, former head of group fraud risk and security at HSBC Bank, who now runs his own consultancy.
Pointing to the UK market, he said online and e-commerce accounted for the bulk of credit and debit fraud by value as well as volume.
And while the level of fraud currently might be lower in Asia compared to other regions due to the lower rewards for hackers, this could soon change, said Keith Swanson, SAS’s Asia-Pacific director of fraud, financial crimes and security intelligence. SAS and HSBC jointly developed a system to monitor debit and credit cards that later evolved into a monitoring tool for all transaction types, including online, mobile, and traditional banking.
The average transaction value as well as average account balance of consumers in some Asian markets were just a small fraction of the average account balance in the US. This might place some Asian markets as low targets for hackers due to the potentially lower returns.
This, however, could change as businesses continued to digitise their operations and e-commerce transactions in the region maintained their upward trajectory, Swanson said. Noting that card-based transactions had a higher propensity for fraud, he said increased e-commerce activities across Asia could push up fraudulent incidents.
He added that the weakest link today came from digitisation.
Banks worldwide were reducing the number of physical branches and moving more of their services online. Most businesses and industries, too, increasingly were thinking about digital transformation, but might not necessarily be thinking sufficiently about security at the same time.
With media now a form of digital record, this put more emphasis on the need to protect data as well as how authentication was carried out, Swanson said. For instance, people now could file their taxes and make insurance claims without having to show up physically at the counter to do so.
He also pointed to India’s recent demonetisation, in which the move to take cash out of society would drive the movement towards digital. In addition, the Indian central bank’s increased willingness to issue payments and banking licenses as part of efforts to drive market competition would see newer players handling transactions.
Coupled with the digital movement, India would need to figure out what the rise in new banking licenses could mean for the country’s fraud landscape, he said.
Businesses worldwide that had yet to think through the process of securing all digital channels would be opening themselves up to fraud, he added, noting that while banks already would be operating robust infrastructures, any vulnerability in systems owned by third parties such as merchants or retailers would put the entire ecosystem at risk.
APAC consumers lack security confidence
And some consumers, it seems, are concerned.
According to a study released this week, just 46 percent of Asia-Pacific respondents trusted businesses to safeguard their financial and payments information. Confidence was lowest in Singapore at 36 percent, while 40 percent in Australia, 42 percent in New Zealand, and 47 percent in Indonesia trusted businesses. Sixty percent in India trusted businesses with their financial and payments data, while 51 percent in Thailand felt the same.
Released by ACI Worldwide and Aite Group, the study polled more than 6,000 consumers in 20 countries including six in Asia-Pacific. There were approximately 300 respondents in each market, which also included markets such as Germany, France, Sweden, Canada, and the UK.
Some 80 percent across Asia-Pacific felt secure with mobile wallets, with Indians the most comfortable at 94 percent.
In terms of fraud concerns, most in the region pointed to theft by computer hacking. Once breached, the majority would stop shopping with the merchant. Most of the respondents also expressed interest in receiving a call or SMS message to mitigate fraud.
ACI’s vice president and global lead of fraud and data, Andreas Suma, said in the report: “This data is a further wakeup call to the broader payments industry, including merchants, banks, and financial intermediaries, that we must proactively educate consumers about security measures that are in place.
“[This is] to allay consumer concerns, which will not only result in enhanced customer experiences, but also help to reduce fraud losses,” Suma said. “Moreover, consumers must become more proactive in securing their personal data by using the fraud prevention measures and services offered by their financial institutions.”
HSBC, for one, adopted a layered approach, Wylde said, adding that the bank worked to ensure its customers had the necessary cybersecurity tools such as anti-malware and device ID monitoring tools to identify any unusual login activities. It also encouraged customers to adopt strong authentication and password policies.
For its part, the bank would halt transactions that looked suspicious and out-of-sync with the customer’s spending pattern, he said. Because there was no silver bullet to combat fraud, he underscored the need for data analytics to monitor and identify potential risks.
Wylde explained that banks in Singapore, for example, were required to report suspicious activities such as money-laundering to the industry regulator. Most tended to be cautious and would over-report.
While false positives were inevitable, he noted, these could be better managed if data analytics were applied.
He suggested the Monetary Authority of Singapore (MAS), as the central figure and regulator, also could use analytics to assess reports across the various banks, identify potential links with suspicious activities, and work with the banks to address these.
MAS last week said it was setting up a data analytics group to guide the regulator as well as the local financial sector towards the digital economy. It would drive efforts to tap data for deeper insights and enhance work efficiencies within MAS as well as facilitate the supervision of financial institutions.
Asked if PINs and OTPs (one-time passwords) should be replaced with biometrics, Wylde acknowledged that the latter was more user-friendly and a more secure authentication method. However, it also carried risks.
He said banks might hesitate to adopt biometric-based authentication because it meant they would be responsible for securing another piece of customer data in their database. Furthermore, while passwords could be quickly changed if compromised, this would not be possible with biometrics data, he noted.
Swanson concurred, adding that biometrics and security tokens were just variations of the identity component and part of the authentication process. What remained more important was how the data was secured and how banks were able to deal with compromises, he said.
Source: SANS ISC SecNewsFeed @ February 23, 2017 at 06:54PM